
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume IX - Issue #44

June 05, 2007

Two gifts: Just released: a longitudinal study of security and audit salaries from 1999 to 2007. If you'll complete the 2007 Salary Survey (it takes 3-6 minutes), we'll give you the executive summary of the longitudinal analysis (telling where salaries went up and down the most, and why). The salary survey is at: http://www.surveymethods.com/EndUser.aspx?F7D3BFA2FFB4A7

Secure Programming: We've also added a bonus report at the end of this issue. It is called SANS Software Security @RISK: Secure Coding Error of the Month. It is a free educational service for programmers that IT security managers or development managers may distribute to programmers and testers. Each monthly issue takes a recent critical vulnerability -- one that did some real damage -- and shows the exact programming error that allowed the application to be exploited. This first issue focuses on an Apache Webserver error. We are announcing it as part of the run up to the Application Security Summit in Washington later this summer. More info on the Summit at http://www.sans.org/appsummit07/

Alan

PS. Tomorrow (6/6) is the final day for early registration discounts for SANS' biggest training program in Washington (SANSFire 2007, July 25 - August 3). Data at http://www.sans.org/sansfire07/

TOP OF THE NEWS

Government Security No Better One Year After VA Data Breach (June 4, 2007)

One year after the theft of a laptop computer holding personally identifiable information of 26.5 million US veterans and active duty members, a study has found that data security in the federal government has not improved. The study surveyed 258 federal employees. Forty-one percent of the respondents use laptops for work. Of those, 48 percent said they received training following the theft of the VA laptop; 16 percent of the respondents said their agencies did nothing in reaction to the theft. According to the study, 58 percent of federal workers who are not official telecommuters still work at home, many using their own, less secure computers. Forty-one percent of those who are not official telecommuters log on to government systems from home.
-http://www.informationweek.com/management/showArticle.jhtml?articleID=199901028&cid=RSSfeed_TechWeb
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=government&articleId=9023098&taxonomyId=13&intsrc=kc_top
[Editor's Note (Kreitner): It's time for agency executives to implement tougher accountability policies for their people entrusted with information assets. For example, a specific person should be designated as the responsible person for every laptop that is issued. Termination or at least a significant demotion should be the clear penalty for losing it or for failure to follow established configuration, patching, and encryption policies. Only when agency leaders demonstrate a more resolute, tangible and enforceable commitment to improving the security of the information assets within their spheres of responsibility will things begin to improve.
(Schultz): These findings are not at all surprising. Until US government employees are held accountable for their security-related actions (or lack thereof), they will continue to be deficient in their practice of security. ]

California state lawmakers are considering legislation that would require any organization in the state that processes credit and debit card transactions to comply with certain requirements regarding data security and breach notification. Merchants would be barred from storing authentication data, including card verification value and personal identification numbers. Merchants would also be required to use strong encryption when storing and transmitting card data. Organizations that experience breaches would be required to reimburse financial institutions for costs incurred, such as notifying customers of the breach and reissuing cards. The bill would also allow financial institutions to provide more detailed information about data security breaches, including what types of data were compromised and where the breach occurred. The bill is presently in committee; if it is approved, it will go before the full state assembly for a vote on June 8. From there, it would require state senate approval and the governor's signature before it becomes law.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9022358&taxonomyId=17&intsrc=kc_top
[Editor's Note (Schultz): Minnesota has already passed legislation of this nature. If this legislation passes in California, the most populous state in the US, I predict that the momentum for passing national legislation of this nature will grow to the point that it will be difficult to stop.]

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS

ChoicePoint Settlement (June 1, 2007)

Georgia-based data broker ChoicePoint has reached a legal settlement with the attorneys general of 43 states and the District of Columbia regarding allegations it did not adequately protect consumer data. ChoicePoint acknowledged in February 2005 that it had exposed parts of its consumer database to thieves posing as legitimate businesspeople. ChoicePoint notified more than 145,000 consumers that their personal data had been compromised. Under the terms of the settlement, ChoicePoint will implement stronger methods to guard the privacy of personal information. In addition, the company will abide by new verification procedures to ascertain that an entity requesting information is in fact a legitimate business. The settlement also includes a lump sum payment of US $500,000 to be shared among the states.
-http://sanantonio.bizjournals.com/albuquerque/stories/2007/05/28/daily27.html
-http://www.smh.com.au/news/Technology/ChoicePoint-Settles-With-43-States-DC/2007/06/01/1180205461106.html
[Editor's Note (Liston): So, based on this, the going price for exposing someone's personal data is $3.45. Heck, I'll pitch in five bucks... Who wants to know my ex-wife's SSN? ]

Former Manager Pleads Guilty to Stealing Computers (May 31, 2007)

A man who once managed the San Jose (Ca.) Medical Group's McKee branch has pleaded guilty to stealing computers and a CD that contained personal medical information of approximately 200,000 patients. Joseph Nathaniel Harris managed the practice between August and September 2004; two computers and the disk were reported missing in March 2005. At that time, the medical group sent letters to approximately 185,000 patients to notify them of the data security breach. The complaint against Harris alleges he stole the computers in late March 2005. Shortly before that theft, computers were also stolen from another of Harris's former employers. All of the stolen computers were found for sale on Craigslist with email addresses linking them to Harris. The disk was found in Harris's car. Harris was indicted in January 2006. If convicted of all charges against him, Harris could be sentenced to 10 years in prison, fined US $250,000 and ordered to pay restitution.
-http://www.mercurynews.com/ci_6029308?source=most_viewed
-http://sanfrancisco.fbi.gov/dojpressrel/2006/sf011906.htm
-http://sanfrancisco.fbi.gov/dojpressrel/2007/sf053107.htm

POLICY & LEGISLATION

New Hampshire Law Bans Real ID Bill (June 4, 2007)

New Hampshire is joining a growing number of states in passing legislation that rejects the federal government's Real ID Act. The US Congress passed Real ID in 2005. The bill requires that driver's licenses and other state-issued identification cards include a bar code and a digital photograph. Citizens would need compliant cards to enter federal buildings and nuclear power plants and board commercial aircraft. The US government established a May 2008 deadline for compliance; it can be extended on a case-by-case basis through December 2009. New Hampshire's law calls Real ID "contrary and repugnant" to both the state and US constitutions. The governor plans to sign the bill into law soon. Among concerns cited are the cost of implementing the new requirements and the potential violation of citizens' privacy.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=294226&source=rss_topic17
[Editor's Note (Liston): Unfortunately, now that we're one year away from the deadline for compliance, taking a moral stance against Real ID simply looks self-serving. This was "contrary and repugnant" to the Constitution back in 2005 when it was passed. Waiting until now to climb up on a soapbox simply makes it look like states are trying to skirt the issue. ]

COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT

iTunes Music Files Contain Personal Information (June 1, 2007)

Music tracks sold through iTunes have been found to contain the buyer's personal information. Names, account information, and email addresses are embedded in the purchased tracks, both those with digital rights management (DRM) protection and those without. Some have speculated that this is a measure to fight piracy; if the tracks appear on a file sharing network, they provide a simple way to find out who originally bought the music.
-http://news.bbc.co.uk/2/hi/technology/6711215.stm
[Editor's Note (Ullrich): I don't see this as a problem. Apple adds a buyer's name to the file. The buyer is not supposed to pass on the file as part of licensing restrictions. Simply marking the file with a user's name sounds like a very reasonable thing to do.
(Liston): This is, to put it bluntly, much ado about nothing. This meta-data exists in *ALL* iTunes downloads, with or without DRM. People complained about the inability to load DRM crippled songs onto all of their devices, and Apple responded with higher quality, non-DRM music. Now, suddenly, having your name embedded in the non-DRM music file is an issue, when it wasn't an issue when that same song was locked down with DRM. Why? ]

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Critical Flaw in F-Secure Software (May 30 & June 1, 2007)

F-Secure has released a security bulletin warning of a critical buffer overflow vulnerability in several of its products that could be exploited to execute arbitrary code or create denial-of-service conditions. The flaw lies in the way the software processes LHA archives, and affects versions of the software for both Windows and Linux. F-Secure's bulletin provides options for mitigating the flaw, including both upgrades and workarounds.
-http://www.zdnetasia.com/news/security/printfriendly.htm?AT=62017679-39000005c
-http://www.f-secure.com/security/fsc-2007-1.shtml
-http://www.kb.cert.org/vuls/id/381508
[Editor's Note (Liston): Code to do data parsing or protocol decoding is perhaps the most "dangerous" thing any programmer can write. Doing these things well requires a good, defensive programming mindset which is, in essence, a strong determination to not make ANY assumptions about the data you're being presented. These kinds of errors are especially distressing in software designed to protect systems from attack. ]

A computer disk containing personally identifiable information of Fresno County (Ca.) home health care workers and their clients is missing. The disk was sent via courier from a county office to the office of a software vendor in San Jose. The information on the disk was being used to determine eligibility for healthcare benefits and includes names, addresses and Social Security numbers (SSNs). The data were not encrypted. The courier service reported that the disk had been delivered to the software vendor. The vendor's CEO, however, says the disk never arrived. The county did not require a signature for proof of receipt. This particular vendor works with other counties as well, most of which send their data encrypted via a secure Internet connection.
-http://www.fresnobee.com/263/story/51168.html

MISCELLANEOUS

Mother's Keylogger Helps Nab Online Predator (June 1, 2007)

A UK mother concerned about her son's online activities installed keylogging software on his computer. When she retrieved the data, she learned that a man from the US had been "grooming" her 15-year-old son for abuse. She contacted the police, who in turn notified US Immigrations and Customs investigators. Jason Bower was arrested last November as he boarded a plane bound for England to meet the boy. Bower has pleaded guilty to charges against him and will face a minimum prison sentence of five years.
-http://www.theregister.co.uk/2007/06/01/spyware_mum_foils_pervert/
[Editor's Note (Kreitner): Way to go, Mom!!]

Are You Stuck Doing Certification and Accreditation Reports? (Advertisement)

Are you stuck doing Certification and Accreditation (C&A) tasks and don't know how to use FISMA to help make a difference? A new course being offered by SANS at Virginia Beach, VA, Aug 25 - Sept 1, will help you unravel the mysteries of C&A. Laura Taylor, author of the FISMA Certification & Accreditation Handbook, will teach this all new course for you to learn the general concepts required to create the broad knowledge base necessary in order to position your career for segue into any C&A project. Ms. Taylor teaches from experience having successfully managed numerous C&A projects for various U.S. federal agencies towards positive accreditations. For course information and to register for FISMA 101: Certification & Accreditation Concepts, go to
-http://www.sans.org/vabeach07/description.php?tid=1127
=========================================================================

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.

Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/

The apache.org foundation reports that more than 10 million copies of its Apache Tomcat package have been downloaded, providing Java servlet functionality for web servers throughout the world. Moreover, Tomcat is frequently used as a standalone web server in high-traffic and high-availability environments where sensitive and valuable information is stored.

So a programming error by one of the Tomcat developers is a BIG error. If it opens a security hole, millions of people now need to patch their systems. It is an even bigger problem because, sadly, thousands or tens of thousands of sites will not install the patch, possibly because no one will tell them about the need to do so, and will become victims of data theft, extortion, and other cyber crimes.

As you read this first edition of SANS Software Security @RISK newsletter, note how little effort would have been needed to avoid the problem.

Buffer overflow is one of the oldest types of security vulnerabilities, discovered as early as the mid sixties. As the name suggests, the vulnerability arises when a programmer allows more data to be crammed into a storage area than the programmer had originally set aside. When the data overflows the reserved area, bad things often happen.

In early March, a critical buffer overflow was disclosed in versions of the Apache Tomcat JK Web Server Connector (mod_jk).

This vulnerability is a stack-based buffer overflow. The flaw can be triggered by a long URI input to the mod_jk module. An unauthenticated user can exploit this overflow by sending a large URI to execute arbitrary code of his choice on the server.

Information about the problem of interest to security professionals -- the vulnerable versions of Tomcat, the damage that can be done, and exploits in the wild -- has all been well covered in the SANS weekly @RISK newsletter and elsewhere (and is referenced at the end of this issue). Here we focus instead on the aspect of the problem relevant to programmers: the programming error that led to this huge problem.

What coding error was responsible for this vulnerability?
------------------------------------------------------------------------

Buffer overflows arise because programmers forget to check that the length of data being copied into a buffer is less than or equal to the buffer size.

Let us now look at the vulnerable function that led to the Tomcat overflow.

The buffer overflow was found in the map_uri_to_worker() function that is defined in the native/common/jk_uri_worker_map.c file.

Notice that uri is an input to the function. It is being copied into a locally declared variable, url. url is a buffer of size 4096. However, the copy operation depends on the size of the input uri. There is no check in the function to stop copying if the length of uri is greater than the maximum length of the url buffer, i.e., 4096. This results in a stack-based buffer overflow, which is usually the simplest buffer overflow to exploit.

What did it take to fix the vulnerable function?
------------------------------------------------

Introduce a check for the length of the uri that is copied into the url variable.

********** Fixed Code **********
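The error and its fix, written out as an added C example for this explanation. This is not the mod_jk source (the function bodies are not reproduced in this issue); the function names, the helper and the test inputs are assumptions made here, and only the 4096-byte local buffer comes from the description above. The unchecked copy is kept beside the checked one so the single missing comparison is visible.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size of the local url buffer described in the text (4096 bytes).
 * Assumption: everything else in this file is illustrative and is not
 * the mod_jk implementation. */
#define URL_BUF_SIZE 4096

/* Vulnerable pattern: the request URI is copied into a fixed-size local
 * (stack) buffer with no length check, so a URI of URL_BUF_SIZE bytes or
 * more writes past the end of url[]. Kept only for side-by-side contrast;
 * it must never be reachable from untrusted input. */
int copy_uri_unchecked(const char *uri)
{
    char url[URL_BUF_SIZE];
    strcpy(url, uri);                 /* BUG: copy length is chosen by the sender */
    return (int)strlen(url);
}

/* Fixed pattern: measure the input first and refuse anything that does not
 * fit together with its terminating NUL. Returns the copied length, or -1
 * when the URI is rejected (a caller would answer with a 4xx and log it). */
int copy_uri_checked(const char *uri, char *url, size_t url_size)
{
    size_t len = strlen(uri);
    if (url_size == 0 || len >= url_size) {
        return -1;                    /* too long: nothing is copied */
    }
    memcpy(url, uri, len + 1);        /* len + 1 carries the NUL terminator */
    return (int)len;
}

/* Boundary helper: builds a constructed URI of exactly n bytes ('/' followed
 * by 'A's) and runs it through the checked copy into a URL_BUF_SIZE buffer. */
int checked_copy_of_length(size_t n)
{
    char url[URL_BUF_SIZE];
    char *uri = malloc(n + 1);
    int rc;
    if (uri == NULL) return -2;       /* allocation failure, distinct from rejection */
    memset(uri, 'A', n);
    if (n > 0) uri[0] = '/';
    uri[n] = '\0';
    rc = copy_uri_checked(uri, url, sizeof url);
    free(uri);
    return rc;
}

int main(void)
{
    char url[URL_BUF_SIZE];
    printf("normal URI -> %d\n", copy_uri_checked("/examples/index.jsp", url, sizeof url));
    printf("4095 bytes -> %d (fits, last slot holds the NUL)\n", checked_copy_of_length(URL_BUF_SIZE - 1));
    printf("4096 bytes -> %d (rejected)\n", checked_copy_of_length(URL_BUF_SIZE));
    printf("8192 bytes -> %d (rejected)\n", checked_copy_of_length(2 * URL_BUF_SIZE));
    return 0;
}
```

The comparison is `len >= url_size`, not `>`: the buffer must hold the string plus its NUL terminator, and using `>` would still let a 4096-byte URI write one byte past the end. Rejecting before copying also means a malformed request never touches the stack buffer at all, which is the property a reviewer should look for in any parser that copies network input into fixed storage.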

============================================================
Copyright 2007, The SANS Institute. You may distribute copies of Software Security @RISK to anyone within your own organization but you may not post it.